Abstract

We give a protocol for the delegation of quantum computation on encrypted data. More specifically,
we show that in a client-server scenario, where the client holds the encryption key for an encrypted
quantum register held by the server, it is possible for the server to perform a universal set of quantum
gates on the quantum data. All Clifford group gates are non-interactive, while the remaining non-Clifford
group gate that we implement (the $\pi/8$ gate) requires the client to prepare and send a single random
auxiliary qubit (chosen among four possibilities), and exchange classical communication. This construction
improves on previous work, which requires either multiple auxiliary qubits or two-way quantum
communication. Using a reduction to an entanglement-based protocol, we show privacy against any adversarial
server according to a simulation-based security definition.


1 Introduction 

Today’s computing paradigm displays seemingly contradictory requirements. On one hand, computations 
are often delegated to remote powerful computing centers, while on the other hand, the data that is being 
processed is expected to remain private. We thus face the conundrum of wanting to compute on encrypted 
data. One specific scenario that allows data to be encrypted by one party and processed by another is known 
as fully homomorphic encryption [15, 20].

This paper¹ addresses the problem of performing quantum computations on encrypted quantum data.
In one way, we relax the requirements of fully homomorphic encryption by allowing interaction, but at
the same time, we strengthen the requirements by asking for information-theoretic security. This is an
asymmetric scenario—it deals with a quantum server (or quantum cloud architecture), a particularly relevant
scenario due to the current challenges in building quantum computational devices. This scenario is also
considered in [1, 8, 9]. We show that an almost-classical client can delegate the execution of any quantum
computation to a remote quantum server, and that this computation can be performed on quantum data that is
encrypted via the quantum one-time pad Q; informally, privacy is maintained since the server never learns
the encryption key. An important requirement of any protocol for delegated computation on encrypted data
is that the operations performed by the client should be significantly easier to perform than the computation
itself. In our scenario, we achieve this since the client does not require the capacity of universal quantum
computation. She only requires the ability to perform encryption and decryption (for this she needs to be
able to apply single-qubit Pauli operators); she also must be able to prepare and send random qubits chosen
from a set of four possibilities. This set of states is unitarily equivalent to the set
$\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$, which are known as the BB84 states, for the crucial role
that they play in the quantum key distribution protocol known by the same name [6]. Such a client does not
require quantum memory and can be implemented with current technology, for instance, using photon
polarization ID [13. We suppose that the client is honest and prove security against any cheating server
via simulations. Similar functionality has been achieved before HlEllll.

¹ This paper was initially submitted in its current form (up to minor corrections, updates and formatting) to the Proceedings of
the 32nd International Cryptology Conference (CRYPTO 2012), where it was rejected. The results were then improved to include
an experimental demonstration and eventually appeared as m. Thus this version appears here for the first time in print and will
be of special interest to those wishing to focus on the theory contribution in [14].

Compared to prior work, our contribution has the advantage of providing a conceptually simple proof of 
correctness, together with a security definition and proof that is applicable to all types of prior information, 
including shared entanglement. Additionally, our protocol is more efficient in terms of quantum and classical 
communication. Compared to [8], our gain for a general quantum computation is by a constant factor;
nevertheless, this means that, using current technology [4], our protocol could lead to the experimental 
delegation of a wider class of private quantum computations. 

A sample application of our protocol would be the delegated, private execution of Shor’s algorithm [22],
which can be used to factor in polynomial time on a quantum computer (this computation is widely believed 
to be intractable on a classical computer). Since the computation is performed on an encrypted input, the 
server will not know which integer he is factoring; if this integer corresponds to an RSA public key 
then the server will not know which public key he is helping to break. We thus see that quantum computing 
on encrypted data is useful for the delegation of problems that can be solved in quantum polynomial time, 
with the underlying assumption that they cannot be solved in classical polynomial time. 

However, applications of delegating private quantum computations are foreseeable even if it turns out 
that quantum computers are no more powerful than classical ones, since delegated computation on encrypted 
quantum data is also achieved. This could be useful, for instance, to enable a client (with no universal 
quantum computer) to perform quantum circuits on quantum data such as quantum money 1131 or quantum
coins [18].

2 Contributions and Related Work 

In order to achieve our results, we consider the scenario of quantum computing on encrypted data: one party 
holds a quantum register while the other party holds the encryption key. It is well known that performing 
a Clifford group circuit (or, more generally, a stabilizer circuit) on quantum data encrypted with the
one-time pad can be achieved non-interactively: the server (holding the encrypted data) applies the target
gates, while the client (holding secret encryption keys) simply adjusts her knowledge of the encryption key
(see Sections 4.1 and 4.2). What remains in order to perform a universal quantum computation is to show how
to implement a non-Clifford group gate on encrypted data.

Our main contribution is a simple protocol for computing a $\pi/8$ gate over encrypted data (Figure 12).
We define security via simulation and show that the final protocol is secure against any malicious server
(Section 4.4). We use as proof technique the method of transforming a qubit-based protocol into an
equivalent protocol that is more easily proved secure, but that involves entanglement. This technique is
attributed to Shor and Preskill [23], who used it in the context of proving the security of the BB84 [6]
quantum key exchange protocol, and has since appeared in the context of quantum message authentication 01
and cryptography in the bounded-quantum-storage model [11].

We emphasize that the protocol achieves the same level of privacy as the quantum one-time pad, which 
is the highest possible level of security: it depends only on the correctness of quantum mechanics and in 
particular does not rely on any computational assumptions. In contrast, fully homomorphic encryption [15]
provides computational security only because it uses a public-key encryption scheme.

We have phrased our contribution in terms of performing a publicly-known circuit on encrypted data. 
Hiding the entire computation is possible simply by executing a universal circuit on an encrypted input, part 
of which contains the description of the target circuit to be implemented. Furthermore, the protocol can 
easily be adapted to allow the server to provide an input. 

Previous results achieve similar (or even identical) functionality, with a similar level of security, but
require more resources:

1. The secure assisted quantum computation protocol of Childs [9] accomplishes the same functionality
as our protocol, but with a significant difference in that the protocol involves two-way quantum
communication and the client needs to be able to execute a two-qubit swap gate. We give more details on
how our protocol differs from Childs’ in Section 4.3.

2. The protocol for universal blind quantum computation of Broadbent, Kashefi and Fitzsimmons [8]
achieves a similar functionality, by using more resources. While the goal of blind quantum computing
is first and foremost to hide the computation itself, the protocol also achieves computation on
encrypted data. Because our protocol does not require that the circuit be hidden, we manage to reduce
the requirements in terms of communication: while [8] requires for each gate (including the identity),
24 bits of forward communication, eight bits of backward communication and eight auxiliary qubits,
our protocol reduces the communication to null for all but the execution of a non-Clifford group gate;
in the specific case of the $\pi/8$ gate, the interaction consists of a single auxiliary qubit and two
classical bits (one bit in each direction). Furthermore, [8] requires that auxiliary qubits be prepared from
a set of eight possible states, while we manage to reduce this to four (see Section 4.3). Note that the
universal blind quantum computation protocol was recently experimentally demonstrated [4].

3. The protocol for quantum prover interactive proofs of Aharonov, Ben-Or and Eban [1] establishes,
on top of the functionality that we implement, a verification mechanism to ensure that the server is
performing the correct computation. The cost of this construction is that the client needs to prepare
auxiliary quantum systems of size polynomial in the parameter determining the security of the
verification. Our protocol does not provide any verification mechanism, but manages to significantly limit
the quantum power needed by the client.

Finally, our work is related to the more general scenario of two-party quantum computation, where it
is the case that both parties hold keys to the encrypted quantum data. Dupuis, Nielsen and Salvail [12]
gave a protocol for two-party secure quantum computation in the case of specious (a version of quantum
semi-honest) adversaries. Certain of our sub-protocols display a similarity (local Clifford group gates are
essentially identical). However, our contribution for the R-gate protocol is very different since it requires no
quantum interaction. In this respect, the work of [12] is closer to the work of [9].

3 Preliminaries 

We assume the reader is familiar with the basics of quantum information ifTOll. Recall the following notation:
$|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$, the Pauli gates $X : |j\rangle \mapsto |j \oplus 1\rangle$
and $Z : |j\rangle \mapsto (-1)^j |j\rangle$, as well as the single-qubit Hadamard and phase gates,
$H : |j\rangle \mapsto \frac{1}{\sqrt{2}}(|0\rangle + (-1)^j |1\rangle)$, $P : |j\rangle \mapsto i^j |j\rangle$.
Recall also the two-qubit gate $\mathrm{CNOT} : |j\rangle|k\rangle \mapsto |j\rangle|j \oplus k\rangle$. An EPR-pair
is a pair of maximally entangled qubits, $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.

3.1 Quantum circuits and circuit identities

The Clifford group [16] is the set of operators that conjugate Pauli operators into Pauli operators. A
universal gate set for Clifford group circuits consists of the Pauli gates themselves, together with H, P
and CNOT. Stabilizer circuits are formed by adding the operations of single-qubit measurements and auxiliary
qubit preparation to the Clifford group circuits. Stabilizer circuits are not universal for quantum
computation ifT^; however, supplementing with any additional gate outside of the group (such as
$R : |j\rangle \mapsto$ or the Toffoli gate
$T : |j\rangle|k\rangle|\ell\rangle \mapsto |j\rangle|k\rangle|\ell \oplus jk\rangle$) is necessary and
sufficient for universality. We interchangeably refer to the R-gate as the $\pi/8$ gate.

We will make use of the following identities which all hold up to an irrelevant global phase: $XZ = ZX$,
$PZ = ZP$, $PX = XZP$, $RZ = ZR$, $RX = XZPR$, $P^2 = Z$ and $P^{a \oplus b} =$ (for $a, b \in \{0,1\}$).

In order to derive and prove our results, we make use of known techniques for manipulating quantum
circuits. Of significant relevance to our work are the techniques developed by Childs, Leung, and Nielsen [10]
to manipulate circuits that produce an output that is correct up to known Pauli corrections. These techniques
are based on a variant of teleportation introduced by Zhou, Leung, and Chuang [25] (see Figure 1 as well
as Appendix A for a derivation of this circuit identity). Here and in the following figures, measurements are
performed in the computational basis.
Figure 1: X-teleportation circuit.


We also use the fact that P and Z commute with control (Figure 2).

Figure 2: Circuit identity: the P-gate commutes with control. A similar identity holds if we replace the
P-gate with a Z-gate.


Finally, we make use of an entanglement-based circuit that prepares a qubit $Z^d P^y|+\rangle$ for uniformly
random bits y and d (Figure 3). Correctness of this circuit is easy to verify.

Figure 3: Circuit identity: entanglement-based circuit that prepares a qubit $Z^d P^y|+\rangle$ for uniformly
random bits y and d (here, y is chosen uniformly at random, and d is determined by the measurement). The
circuit in the dashed box prepares an EPR-pair.


3.2 Classical and quantum encryption 

The classical one-time pad is an encryption procedure that maps each bit j of a plaintext to $j \oplus r$ for a
uniformly random key bit r (which we denote $r \in_R \{0,1\}$). Since the ciphertext $j \oplus r$ is uniformly
random (as long as r is unknown), the plaintext j is perfectly concealed. The quantum one-time pad llH is the
quantum analog of the classical one-time pad. The encryption procedure for a single qubit consists of
uniformly randomly applying an operator in $\{I, X, Z, XZ\}$, or equivalently, applying $X^a Z^b$ for uniformly
random bits a and b (here, I is the identity). This maps any single qubit to the maximally mixed state on one
qubit, which we denote $\frac{I}{2}$; thus the quantum plaintext is perfectly concealed.

3.3 Quantum registers and channels 

A quantum register is a collection of qubits in some finite dimensional Hilbert space, say $\mathcal{X}$. We
denote $D(\mathcal{X})$ the set of density operators acting on $\mathcal{X}$. The set of all linear mappings from
$\mathcal{X}$ to $\mathcal{Y}$ is denoted by $L(\mathcal{X}, \mathcal{Y})$, with $L(\mathcal{X})$ being a shorthand
for $L(\mathcal{X}, \mathcal{X})$. A linear super-operator $\Phi : L(\mathcal{X}) \to L(\mathcal{Y})$ is
admissible if it is completely positive and trace-preserving. Admissible super-operators represent mappings
from density operators to density operators, that is, they represent the most general quantum maps.

Given admissible super-operators $\Phi$ and $\Psi$ that agree on input space $L(\mathcal{X})$ and output space
$L(\mathcal{Y})$, we are interested (for cryptographic purposes) in characterizing how “indistinguishable” these
processes are. The diamond norm provides such a measure: given that $\Phi$ or $\Psi$ is applied with equal
probability, the optimal procedure to determine the identity of the channel with only one use succeeds with
probability $1/2 + \|\Phi - \Psi\|_\diamond / 4$. Here,
$\|\Phi - \Psi\|_\diamond = \max\{\|(\Phi \otimes \mathbb{1}_{\mathcal{W}})(\rho) - (\Psi \otimes \mathbb{1}_{\mathcal{W}})(\rho)\|_1 : \rho \in D(\mathcal{X} \otimes \mathcal{W})\}$,
where $\mathcal{W}$ is any space with dimension equal to that of $\mathcal{X}$ and $\mathbb{1}_{\mathcal{W}}$ is
the identity in $L(\mathcal{W})$, and where the trace norm of an operator X is defined as
$\|X\|_1 = \mathrm{Tr}\sqrt{X^* X}$.

4 Delegating private quantum computations 

A general quantum circuit can be decomposed into a sequence of the following: gates in {X, Z, H, P, CNOT, R},
auxiliary qubit preparation in $|0\rangle$ and single-qubit computational basis measurements (strictly speaking,
this set is redundant; the choice of these gates will become clear later). We show in the following sections that
these operations can be executed by a server who has access only to the input in its encrypted form (where
the encryption is the quantum one-time pad), and we show that the output can nevertheless be decrypted by
the client, and that the server does not learn anything about the input. In order to accomplish this, we give a
series of protocols, each accomplishing the execution of a circuit element. For each such protocol, the client
(who knows the encryption key for the input to the protocol) can compute a decryption key that, if applied
to the output of the protocol, would result in the output of the circuit element applied to the unencrypted
input.

Sections 4.1 and 4.2 show protocols for stabilizer circuit elements, while Section 4.3 gives a protocol
for a non-Clifford group gate (this is the only gate that uses interaction). In all cases, we give explicit
constructions for pure states; it is straightforward to verify that the same constructions work on systems that
are entangled.

We can see each of the protocols as gadgets that implement a circuit element, up to a known
re-interpretation of the key. In order to execute a larger target circuit, each of its circuit elements is
executed in sequence as one of these gadgets; it is sufficient for the client to re-adjust her knowledge of the
encryption keys on each relevant quantum wire after each gadget. Our protocol for quantum computing on
encrypted data is given as:

1. The client encrypts her register with the quantum one-time pad and sends the encrypted register to the
server.

2. The client and server perform the gadgets as given in Sections 4.1-4.3 according to the circuit that is
to be executed, with the client re-adjusting the encryption keys on each relevant quantum wire after
each gadget.

3. The server returns the output register to the client, who decrypts it according to the key that she has
computed.

Note that this high-level protocol does not involve any interaction other than the sending (Step 1) and
receiving (Step 3) of the encrypted data. Only a single gadget in the implementation of Step 2 in our
construction is interactive (Section 4.3), and the quantum part of this interaction is one-way (from the client
to the server), consisting of the sending of a single random auxiliary qubit in
$\{\frac{1}{\sqrt{2}}(|0\rangle + |1\rangle), \frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle), \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle), \frac{1}{\sqrt{2}}(|0\rangle - i|1\rangle)\}$,
which can be sent, without loss of generality, at the beginning of
the protocol. Thus our protocol for quantum computing on encrypted data is interactive, but completely
classical, except for the initial sending of auxiliary random single-qubit states, as well as for the sending
of the input and output registers (if they are quantum). Furthermore, a target circuit that implements only
Clifford group operations can be executed with no interaction at all (except for the interaction in Steps 1
and 3). We now proceed to give the protocols (Sections 4.1, 4.2 and 4.3). Security is formally defined via
simulation and proved in Section 4.4.

4.1 Protocols for measurement and auxiliary qubit preparation 

The protocol for measuring a single qubit in the computational basis is given in Figure 4: the server simply
performs a measurement on the encrypted qubit. The corresponding wire thus goes from a quantum wire
(with encryption operation $X^a Z^b$) to a classical wire (with encryption key a); the client can easily take this
into account.

[Circuit: $X^a Z^b|\psi\rangle$ → measurement → $a \oplus y$]

Figure 4: Protocol for measurement. Here, y denotes the outcome of the measurement on the unencrypted
input $|\psi\rangle$.


As represented in Figure 5, the server may prepare an unencrypted auxiliary qubit in the $|0\rangle$ state and
incorporate it into the computation. The client simply sets the encryption key for this qubit to be 0.

[Circuit: $|0\rangle$ → $X^0 Z^0|0\rangle$]

Figure 5: Protocol for auxiliary qubit preparation.


4.2 Protocols for Clifford group gates 

A series of well-known relationships between the Pauli matrices and Clifford group operations lIThl is the
basis for the protocols given in Figures 6-10. Specifically, since the X and Z gates commute or anti-commute
(and since we can safely ignore a global phase), Figures 6 and 7 can easily be seen as implementing a
protocol for the X and Z-gates. Similarly, the relation $HX = ZH$ is sufficient to show the H-gate protocol
given in Figure 8, and the facts that $PZ = ZP$ and $PX = -iZXP$ show the P-gate protocol given in Figure 9.
Finally, the protocol for the CNOT-gate as given in Figure 10 can be verified in a similar way.

Strictly speaking, in order to achieve universality, we do not need all of the protocols given above: once
we have the protocol for the R-gate (given in Section 4.3 below), it is sufficient to combine it with the
protocols for CNOT and H for universality. This can be seen since $P = R^2$, $Z =$ and $X = HZH$.
However, each of these decompositions requires at least two R-gates, and as we will see below, the protocol
for an R-gate is relatively expensive (it uses an auxiliary qubit and classical interaction). It can thus be
preferable to decompose a circuit into the redundant gate set that we have used as this reduces the cost of
many gates. Also, by giving explicit protocols for all of these circuit elements, we have established that
a stabilizer circuit can be performed on encrypted data without any interaction whatsoever, except for the
exchanging of the encrypted data register.


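[Circuit: $X^a Z^b|\psi\rangle$ → X → $X^a Z^b X|\psi\rangle$]

Figure 6: Protocol for an X-gate.


[Circuit: $X^a Z^b|\psi\rangle$ → Z → $X^a Z^b Z|\psi\rangle$]

Figure 7: Protocol for a Z-gate.


[Circuit: $X^a Z^b|\psi\rangle$ → H → $X^b Z^a H|\psi\rangle$]

Figure 8: Protocol for an H-gate.


[Circuit output: $X^a Z^{a \oplus b} P|\psi\rangle$]

Figure 9: Protocol for a P-gate.


[Circuit: $(X^a Z^b \otimes X^c Z^d)|\psi\rangle$ → CNOT → $(X^a Z^{b \oplus d} \otimes X^{a \oplus c} Z^d)\,\mathrm{CNOT}|\psi\rangle$]

Figure 10: Protocol for a CNOT-gate. Here, $|\psi\rangle$ is a two-qubit system.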


4.3 Protocol for a non-Clifford group gate 

The only remaining gate required to implement universal quantum computation is a non-Clifford group gate. 
We choose the R-gate. 

Our first attempt at a protocol for an R-gate (Figure 11) follows the protocols given in the previous
section: the server simply applies the R-gate to the encrypted data. However, this does not immediately work,
since $RX = XZPR$ and so in the case that an X-encryption is present, the output picks up an undesirable P
gate (this cannot be corrected by applying Pauli corrections). In [9], Childs arrives at this same conclusion,
and then makes the astute observation that, in the case where a = 1, the server could be made to correct this
erroneous P-gate by executing a correction (which consists of ZP). As long as the server does not find out
if this correction is being executed or not, security holds.

This is where our approach takes a significantly different route compared to [9] or even [12]: while these
references solve this problem with two-way quantum communication, we solve it with classical interaction
and a single forward auxiliary qubit randomly chosen out of four possibilities. See Figure 12 as well as the
proof of correctness in Appendix A.

[Circuit: $X^a Z^b|\psi\rangle$ → R → $X^a Z^{a \oplus b} P^a R|\psi\rangle$]

Figure 11: First attempt at a protocol for an R-gate; output requires a P correction if a = 1.


[Circuit between Server and Client; output: $X^{a \oplus c} Z^{a(c \oplus y \oplus 1) \oplus b \oplus d \oplus y} R|\psi\rangle$]

Figure 12: Protocol for an R-gate.


Compared to [8], we manage to halve the size of the set from which random qubits are chosen (from
eight to four). This can be seen as due to the fact that [8] directly implements a hidden R-gate, while
in Figure 12 the server first applies the R-gate, and applies a correction by performing a hidden P-gate,
requiring less resources than a hidden R-gate.

4.4 Correctness and Security 

Given that the correctness of each gadget has been shown, correctness of the main protocol is obvious: after 
each gadget, the client adapts her knowledge of the keys used to encrypt the system according to Figures 5-12;
each gadget itself is correct, so the entire protocol implements the quantum circuit as desired.

Our protocol provides the same level of security as the one-time pad (Section 3), that is, it provides
perfect (information-theoretic) privacy. The rest of this section formalizes the definition of privacy based on
simulations and gives a proof based on the technique of giving an equivalent, entanglement-based protocol
(see Section O). For our definition of privacy, we have used notions similar to those introduced by Watrous
in the context of quantum zero-knowledge interactive proof systems [24].

Formally, a protocol for delegated computation is specified by a pair (C, S) representing an honest client
and an honest server (without loss of generality, both parties are quantum). As the client is always honest,
the security property concerns interactions between pairs (C, S') where S' deviates arbitrarily from S. At
the onset of the protocol, both parties agree on the classical input q which determines the general quantum
circuit to be executed as an ordered series of gates acting on specified wires. The structure of the interaction
between C and S is thus determined by q. At the same time, a quantum input
$\rho_{in} \in D(\mathcal{C} \otimes \mathcal{S})$ is distributed, C receiving the register in $\mathcal{C}$ and S
receiving the register in $\mathcal{S}$. A cheating server S' is any quantum computational process that interacts
with C according to the message structure determined by q. By allowing S' access to the input register
$\mathcal{S}$, we explicitly allow S' to share prior entanglement with C’s input; this also models any prior
knowledge of S' and formalizes the notion that the protocol cannot be used to increase knowledge.

Let $\mathcal{Z}$ denote the output space of S' and let
$\Phi_q : L(\mathcal{S} \otimes \mathcal{C}) \to L(\mathcal{Z})$ be the mapping induced by the
interaction of S' with C. Security is defined in terms of the existence of a simulator $\mathcal{S}_{S'}$ for a
given server S', which is a general quantum circuit that agrees with S' on the input and output dimensions.
Such a simulator does not interact with C, but simply induces a mapping
$\Psi_q : L(\mathcal{S} \otimes \mathcal{C}) \to L(\mathcal{Z})$ given by
$\mathcal{S}_{S'}(\mathrm{tr}_{\mathcal{C}}\,\rho_{in})$ on each input q. Informally, (C, S) is private if the two
mappings, $\Phi_q$ and $\Psi_q$, are indistinguishable for every choice of q and every choice of $\rho_{in}$.
Allowing for an $\epsilon$ amount of leakage, we formalize this as the following:
A protocol (C, S) for a delegated quantum computation is $\epsilon$-private if for every server S' there exists a
simulator $\mathcal{S}_{S'}$ such that for every classical input q, $\|\Phi_q - \Psi_q\|_\diamond \leq \epsilon$,
where $\Phi_q$ is the mapping induced by the interaction of S' with the client C on input q and $\Psi_q$ is the
mapping induced by $\mathcal{S}_{S'}$ on input q.

Taking $\epsilon = 0$ gives the strongest possible security against a malicious server: it does not allow for even
an $\epsilon$ amount of leakage, and allows the server to deviate arbitrarily (without imposing any computational
bounds). This is the level of security that we claim for our protocol for delegated quantum computation: it
is $\epsilon$-private, with $\epsilon = 0$. The proof follows (although we do not formalize this notion here, we
note that our proof method provides a simulator with the often-desirable property that it runs with essentially
the same computational resources as the deviating server).

Fix a value for q. We construct a simulator $\mathcal{S}_{S'}$ by giving instructions how to prepare messages that
replace the messages that the client C would send to the server S' in the real protocol. Privacy follows since
we will show that these transmissions are identical to those in the real protocol.

A high-level sketch of the proof is that we modify the behaviour of the client in the main protocol 
(Protocol 1) in a way that the effect of the protocol is unchanged (meaning that both the output of the 
protocol and the view of the server is unchanged), yet the client delays introducing her input into the protocol 
until after her interaction with the server has ended (this makes the simulation almost trivial). In order to 
do so, we describe below an entanglement-based protocol (Protocol 2) as well as a delayed-measurement 
protocol (Protocol 3). 

We first consider Protocol 2, which is an entanglement-based version of Protocol 1. In Protocol 2, 
we modify how the client prepares her messages, without modifying the server’s actions or the effect of 
the protocol. Thus, the preparing and sending of an encrypted quantum register in step 1 of Protocol 1 is
replaced by an equivalent teleportation-based protocol, as given in Figure 13. Also, the R-gate protocol in
step 2 of Protocol 1 is replaced by an equivalent protocol as given in Figure 15. The protocol of Figure 15
can be seen to be correct via an intermediate protocol (Figure 14), in which the classical bit x from the
client to the server becomes a uniformly random bit; this transformation is possible because in the protocol
of Figure 12, $x = a \oplus y$ with y a random bit. Then choosing x to be random and $y = a \oplus x$ gives an
equivalent protocol. The final entanglement-based protocol of Figure 15 is seen to be correct via the circuit
identity given in Figure 3. The remaining protocols for stabilizer circuit elements are non-interactive and
thus unchanged in Protocol 2.

The main advantage of considering Protocol 2 instead of Protocol 1 is that we can delay all the client’s 
measurements (in Figures 13 and 15) until the output register is returned in step 3 of Protocol 1, without
affecting the computation or the server’s view of the protocol (because actions on different subsystems 
commute); call the result Protocol 3. In this delayed-measurement protocol, the messages from the client 
to the server can be chosen before any interaction with the server, and are thus clearly independent of the 
actions of S'. 

Thus we construct a simulator $\mathcal{S}_{S'}$ that plays the role of the client in Protocol 3, but that never
performs any measurements (thus, access to the actual input is not required). By the argument above,
$\mathcal{S}_{S'}$ actually prepares the same transmissions as would C in Protocol 1 interacting with S' on any
input $\rho_{in}$. It follows that simulating S' on these transmissions will induce the same mapping as S' in the
real protocol, and thus $\|\Phi_q - \Psi_q\|_\diamond = 0$.

Note that a malicious server may not necessarily follow the protocol, thus possibly interfering with the
computation. Our protocol does not guard against this; detecting a cheating server can be done using a
quantum authentication code as is done in [1] (albeit by requiring the client to have more quantum
power). It is important to note however that our privacy definition and proof holds against such a malicious
server.

Figure 13: Protocol to encrypt and send a qubit using teleportation [7]. The circuit in the dashed box prepares
an EPR-pair.


[Circuit between Server and Client; output: $X^{a \oplus c} Z^{a(c \oplus y \oplus 1) \oplus b \oplus d \oplus y} R|\psi\rangle$]

Figure 14: Intermediate Protocol for an R-gate. Compared to Figure 12, the classical message from the
client to the server is chosen uniformly at random. This protocol performs the same computation as the
protocol in Figure 12.


[Circuit between Server and Client; output: $X^{a \oplus c} Z^{a(c \oplus y \oplus 1) \oplus b \oplus d \oplus y} R|\psi\rangle$]

Figure 15: Entanglement-based protocol for an R-gate. This protocol performs the same computation as the
protocols in Figures 12 and 14. The circuit in the dashed box prepares an EPR-pair.
A Correctness of the R-gate protocol

We give below a step-by-step proof of the correctness of the R-gate protocol as given in Figure 12. The
basic building block is the circuit identity for an X-teleportation from [25], which we re-derive here.


1. Our first circuit identity swaps a qubit $|\psi\rangle$ with the state $|+\rangle$ and is easy to verify.

[Circuit: inputs $|\psi\rangle$ (top wire) and $|+\rangle$ (bottom wire); outputs $|+\rangle$ (top wire) and $|\psi\rangle$ (bottom wire).]


2. We can measure the top qubit in the above circuit and classically control the output correction. We
have thus re-derived the circuit corresponding to the “X-teleportation” of [25].

3. Next, we re-define the input to be $R X^a Z^b|\psi\rangle$, so the output becomes
$X^c R X^a Z^b|\psi\rangle = X^{a \oplus c} Z^{a \oplus b} P^a R|\psi\rangle$.
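4. Then add three gates ($P^y$, $Z^d$, $P^{a \oplus y}$) to the bottom wire (see circuit below). Applying
identities from Section 3, we get as output what we expect:

$$
\begin{aligned}
P^{a \oplus y} Z^d P^y X^{a \oplus c} Z^{a \oplus b} P^a R|\psi\rangle
&= P^{a+y} Z^{d \oplus a \cdot y} P^y X^{a \oplus c} Z^{a \oplus b} P^a R|\psi\rangle \\
&= Z^{d \oplus a \cdot y \oplus y} P^a X^{a \oplus c} Z^{a \oplus b} P^a R|\psi\rangle \\
&= Z^{d \oplus a \cdot y \oplus y} X^{a \oplus c} Z^{a(a \oplus c)} P^a Z^{a \oplus b} P^a R|\psi\rangle \\
&= X^{a \oplus c} Z^{d \oplus a \cdot y \oplus y \oplus a^2 \oplus a \cdot c} Z^b R|\psi\rangle \\
&= X^{a \oplus c} Z^{a(c \oplus y \oplus 1) \oplus b \oplus d \oplus y} R|\psi\rangle
\end{aligned}
$$

[Circuit: the top wire carries the input $X^a Z^b|\psi\rangle$; the bottom wire starts in $|+\rangle$ and outputs $X^{a \oplus c} Z^{a(c \oplus y \oplus 1) \oplus b \oplus d \oplus y} R|\psi\rangle$.]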
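
The following Python sketch is an added example, not code from the paper: it simulates the single-wire gadgets of Sections 4.2 and 4.3 with plain state vectors, checks the client's key updates (including the R-gate key derived above) for every choice of key bits, random bits and measurement outcome, and computes the server's view of the auxiliary qubit. The CNOT orientation (auxiliary qubit as control, measured data qubit as target) is an assumption read off the X-teleportation derivation above, and all function names and the sample state are constructed for illustration.

```python
import cmath
import itertools
import random

S2 = 2 ** -0.5
GATES = {
    "X": [[0, 1], [1, 0]],
    "Z": [[1, 0], [0, -1]],
    "H": [[S2, S2], [S2, -S2]],
    "P": [[1, 0], [0, 1j]],
    "R": [[1, 0], [0, cmath.exp(1j * cmath.pi / 4)]],  # the pi/8 gate
}

def apply(name, v, times=1):
    """Apply the named single-qubit gate `times` times to the state vector v."""
    g = GATES[name]
    for _ in range(times):
        v = [g[0][0] * v[0] + g[0][1] * v[1], g[1][0] * v[0] + g[1][1] * v[1]]
    return v

def pad(a, b, v):
    """Quantum one-time pad X^a Z^b (its own inverse up to a global phase)."""
    return apply("X", apply("Z", v, b), a)

def same_state(u, v, tol=1e-9):
    """True if u and v describe the same state, ignoring global phase."""
    ip = sum(x.conjugate() * y for x, y in zip(u, v))
    nu = sum(abs(x) ** 2 for x in u)
    nv = sum(abs(y) ** 2 for y in v)
    return nu > tol and abs(abs(ip) ** 2 - nu * nv) < tol

def clifford_key(gate, a, b):
    """Client-side key update for the non-interactive gadgets (Figures 6-9)."""
    if gate in ("X", "Z"):
        return a, b
    if gate == "H":
        return b, a
    if gate == "P":
        return a, a ^ b
    raise ValueError(gate)

def aux_qubit(y, d):
    """The client's auxiliary qubit Z^d P^y |+>, one of four states."""
    return apply("Z", apply("P", [S2, S2], y), d)

def r_gadget(enc, a, b, y, d, c):
    """R-gate gadget, measurement outcome fixed to c. Returns (output, new key)."""
    data = apply("R", enc)  # server applies R to the encrypted qubit
    aux = aux_qubit(y, d)
    # Server: CNOT (auxiliary = control, data = target), measure data, get c.
    # Each outcome has probability 1/2, so dividing by S2 renormalises.
    out = [data[c ^ s] * aux[s] / S2 for s in (0, 1)]
    out = apply("P", out, a ^ y)  # client sends x = a XOR y, server applies P^x
    return out, (a ^ c, (a & (c ^ y ^ 1)) ^ b ^ d ^ y)

def delegate(circuit, psi, rng):
    """Steps 1-3 on one wire. Returns (client's decrypted output, plain output)."""
    a, b = rng.randrange(2), rng.randrange(2)
    state, plain = pad(a, b, psi), psi  # step 1: client encrypts
    for gate in circuit:
        plain = apply(gate, plain)
        if gate == "R":
            y, d, c = (rng.randrange(2) for _ in range(3))
            state, (a, b) = r_gadget(state, a, b, y, d, c)
        else:
            state = apply(gate, state)  # server works on ciphertext only
            a, b = clifford_key(gate, a, b)
    return pad(a, b, state), plain  # step 3: client decrypts

def server_view(a, x):
    """Density matrix of the auxiliary qubit as seen by the server, given the
    classical bit x and averaged over the client's secret bit d."""
    rho = [[0, 0], [0, 0]]
    for d in (0, 1):
        q = aux_qubit(a ^ x, d)
        for i, j in itertools.product((0, 1), repeat=2):
            rho[i][j] += q[i] * q[j].conjugate() / 2
    return rho

def check_gadgets(psi):
    """Exhaustively check every gadget for all key bits, random bits, outcomes."""
    for a, b in itertools.product((0, 1), repeat=2):
        enc = pad(a, b, psi)
        for g in "XZHP":
            if not same_state(pad(*clifford_key(g, a, b), apply(g, enc)), apply(g, psi)):
                return False
        for y, d, c in itertools.product((0, 1), repeat=3):
            out, key = r_gadget(enc, a, b, y, d, c)
            if not same_state(pad(*key, out), apply("R", psi)):
                return False
    return True

if __name__ == "__main__":
    psi = [0.6, 0.8j]  # constructed sample input state
    print(check_gadgets(psi))
    print(same_state(*delegate("HRPRXHRZRH", psi, random.Random(7))))
    print(server_view(0, 1), server_view(1, 1))
```

The server's view comes out as the maximally mixed state for either value of the key bit a, which is the single-message version of the privacy claim; the check covers one wire only and leaves out the CNOT gadget of Figure 10.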